AnyDBM and Apache

The former rdbm-lite package is now integrated into AnyDBM,
and is the basis for mod_auth_rdbm (Remote DBM
authentication) with the Apache Web Server.
This provides a lightweight but highly scalable and efficient module
for HTTP Basic Authentication over a network. RDBM authentication is
similar to DBM or DB authentication, with the added benefits that:

Multiple webservers can share a user database, without the penalties of NFS.

Database locking is not an issue. So, for example, allowing write access
to the database from CGI programs is much simplified.

Against that, there are drawbacks:

There is no provision for user namespaces, so mod_auth_rdbm is
not well suited to multi-user (e.g. virtual hosting) environments.
It is best-suited to large single-site servers.

mod_auth_rdbm can open new security holes (any user with an RDBM client
can talk to your server). To avoid this, use TCP access control
(e.g. with /etc/hosts.deny and hosts.allow) to restrict access.
A much weaker alternative is security-by-obscurity: change RDBM_P
in rdbm.const to something nobody will ever guess.

Availability

mod_auth_rdbm is a module for the Apache webserver.
It can be used with any underlying structure, provided you have
an RPC server meeting the AnyDBM/RDBM spec.
Implementations for NDBM, GDBM and Berkeley DB are included
with the AnyDBM distribution.

The code of this module is based on, and mostly identical to,
"mod_auth_dbm.c" from the 1.3b6 distribution. Note that
building it with earlier Apache distributions requires the
deletion of "ap_" from the front of many function names,
and building with 1.2.x will require you to convert (or
comment out) the error logging functions.

Configuration

Configuration directives (server conf or .htaccess) are:

AuthRDBMHost

the host on which the RDBM server is running
(e.g. "localhost", "192.168.0.254",
or "server.mydomain.org")

This is a simple CGI program that permits users to create their own
username/password entries in an RDBM database. It can be used as-is
(embedded in your own HTML page as an SSI), or you can incorporate
the main function pw_update() in your own registration program
(actually pw_update() itself is 'distilled' from a server-specific
registration program).

Operations permitted are new (add an entry) and delete (guess what ;-)
The code for "update" is there, but it isn't included in the HTML Form.

CGI Arguments are:

action

new (default) / update / delete

name

username to create. Any non-alphanumeric characters are
stripped out, and it is converted to lowercase. May be
modified by trunc and digits arguments (below).
The update and delete actions use REMOTE_USER and ignore name.

group

group for this user

password

If none is supplied, it generates a random 5-digit PIN.

trunc

maximum number of characters in name, above which it will
be truncated.

digits

Causes a number to be appended to name for uniqueness.
Example: if the user enters the name "nick" with digits set to 3,
a name like "nick471" will be generated and is guaranteed
unique. If digits is unset, names will not be modified,
and a duplicate name will generate an error.

Whilst none of these are required, you will need to supply at least one
of name and action for the CGI to do anything sensible.
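
The handling of the name, trunc and digits arguments described above, as an added example in C (not the CGI's own pw_update() code). make_username(), user_exists() and the in-memory user list are hypothetical, and it assumes truncation is applied before the digits are appended.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the RDBM user database (hypothetical entries). */
static const char *existing_users[] = { "nick", "nick471", "alice" };

static int user_exists(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof existing_users / sizeof existing_users[0]; i++)
        if (strcmp(existing_users[i], name) == 0)
            return 1;
    return 0;
}

/* Hypothetical helper: builds the stored username from the "name" argument.
 * trunc == 0 means no limit beyond the output buffer; digits == 0 means
 * no numeric suffix. Returns 0 on success, -1 on bad arguments or a name
 * with no usable characters, -2 if no unused name could be produced. */
int make_username(const char *raw, size_t trunc, int digits,
                  char *out, size_t outlen)
{
    size_t n = 0, limit;
    int tries, d;

    if (digits < 0 || digits > 9 || outlen < (size_t)digits + 2)
        return -1;
    limit = outlen - 1 - (size_t)digits;       /* room for suffix + NUL */
    if (trunc > 0 && trunc < limit)
        limit = trunc;
    for (; *raw != '\0' && n < limit; raw++)   /* strip and lowercase */
        if (isalnum((unsigned char)*raw))
            out[n++] = (char)tolower((unsigned char)*raw);
    out[n] = '\0';
    if (n == 0)
        return -1;                             /* nothing usable left */
    if (digits == 0)
        return user_exists(out) ? -2 : 0;      /* duplicate is an error */
    for (tries = 0; tries < 1000; tries++) {   /* retry until unused */
        for (d = 0; d < digits; d++)           /* rand(): uniqueness only */
            out[n + d] = (char)('0' + rand() % 10);
        out[n + digits] = '\0';
        if (!user_exists(out))
            return 0;
    }
    return -2;                                 /* gave up after 1000 tries */
}
```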